Idp providing different certificate for signing vs encryption
IncentiveServices (New Member, 8 reputation)
Group: Forum Members, Posts: 6, Visits: 48
The partner Idp has specified different certificates for signing vs encryption in the metadata file. I want to confirm that in SamlConfiguration for PartnerCertificateFile property, I should point to the signing certificate of partner Idp. Can you please clarify how this should be handled?

    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate> ....... </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate> ....... </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>

ComponentSpace Development (4.4K reputation)
Group: Administrators, Posts: 3.2K, Visits: 11K
That's correct. You should specify the signing certificate for the partner identity provider.
You should store the certificate either on the file system as a .cer file or in the Windows certificate store.
The following article describes how to reference the certificate in the SAML configuration.
http://www.componentspace.com/Forums/44/X.509-Certificate-Management


Regards
ComponentSpace Development
IncentiveServices (New Member, 8 reputation)
Group: Forum Members, Posts: 6, Visits: 48
Thanks
siwy (New Member, 1 reputation)
Group: Forum Members, Posts: 1, Visits: 5
What should happen with the encryption certificate in that case? I do not see a way to configure an encryption certificate in the PartnerIdentityProviderConfiguration class.
ComponentSpace Development (4.4K reputation)
Group: Administrators, Posts: 3.2K, Visits: 11K
The partner IdP's encryption certificate should be ignored as it's not used for anything.
The only encryption certificate that would be used is the SP's.
The SP's encryption certificate is used if the SAML assertion is to be encrypted.


Regards
ComponentSpace Development
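Added example (not ComponentSpace's code and not the library's API): a small Python parser that reads partner metadata, groups the X509Certificate entries by the KeyDescriptor use attribute, and returns the signing certificate, which is the one the partner IdP configuration should reference per the two answers above. The certificate bodies are constructed placeholders, and a KeyDescriptor with no use attribute is treated as valid for both purposes, as SAML metadata allows.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata with separate signing and encryption
# KeyDescriptors. The certificate bodies are placeholders, not real X.509 data.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>U0lHTklORy1DRVJU</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>RU5DUllQVElPTi1DRVJU</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def certificates_by_use(metadata_xml: str) -> dict:
    """Return {"signing": [...], "encryption": [...]} of base64 certificate bodies.

    A KeyDescriptor without a 'use' attribute is valid for both purposes and is
    therefore listed under both keys; unknown 'use' values are ignored.
    """
    root = ET.fromstring(metadata_xml)
    result = {"signing": [], "encryption": []}
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        use = kd.get("use")
        uses = list(result) if use is None else ([use] if use in result else [])
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            body = "".join((cert.text or "").split())  # drop wrapping whitespace
            for u in uses:
                result[u].append(body)
    return result


def partner_signing_certificate_der(metadata_xml: str) -> bytes:
    """DER bytes of the certificate to configure for the partner IdP: its signing
    certificate. The partner's encryption certificate is not needed on the SP side."""
    signing = certificates_by_use(metadata_xml)["signing"]
    if not signing:
        raise ValueError("metadata advertises no signing certificate")
    return base64.b64decode(signing[0])
```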
Hoon Kim (New Member, 10 reputation)
Group: Forum Members, Posts: 8, Visits: 40
ComponentSpace - 9/21/2018
The partner IdP's encryption certificate should be ignored as it's not used for anything.
The only encryption certificate that would be used is the SP's.
The SP's encryption certificate is used if the SAML assertion is to be encrypted.

Hi, I was struggling with two certificates for one service provider.
You mentioned that the SP's encryption certificate is used for assertion encryption.
How do we manage this with your ComponentSpace library?

We are the IdP, and our partner, as SP, sends two certificates for signing and encryption in its metadata.
But the ComponentSpace library imports only one certificate. Is there any way to grab all certificates, import them, and then
use them separately for signing and encryption at SendSSO?

Thanks for your help in advance.
ComponentSpace Development (4.4K reputation)
Group: Administrators, Posts: 3.2K, Visits: 11K
Currently there's a limitation in that we don't distinguish between signature and encryption certificates in the SAML configuration.
In most use cases the same certificate is used for both.
If the partner SP requires it, you would need to implement a custom ICertificateManager.
However, I would first ask the SP if they could use a single certificate instead.
If they're unwilling to do this, I can provide details on how to implement ICertificateManager.

Regards
ComponentSpace Development
Hoon Kim (New Member, 10 reputation)
Group: Forum Members, Posts: 8, Visits: 40
ComponentSpace - 1/22/2019
Currently there's a limitation in that we don't distinguish between signature and encryption certificates in the SAML configuration.
In most use cases the same certificate is used for both.
If the partner SP requires it, you would need to implement a custom ICertificateManager.
However, I would first ask the SP if they could use a single certificate instead.
If they're unwilling to do this, I can provide details on how to implement ICertificateManager.

Thanks for your support.
Actually, there is no way we can avoid two certificates at this time.
Please advise me how I could accomplish this in a custom way.

Thanks again.
ComponentSpace Development (4.4K reputation)
Group: Administrators, Posts: 3.2K, Visits: 11K
Please contact [email protected] mentioning your requirement for separate certificates.
We can discuss the available options and will look at whether we can add better support in the timeframe.
Regards
ComponentSpace Development